The remote connection utilized a VSAT Systems NetModem II (www.vsat-systems.com/satellite-internet/hardware.html) commissioned for 512 Kbps/512 Kbps service to the Internet. The host side had a cable modem connection running at 3 Mbps/384 Kbps. The 384 Kbps outbound connection limited the ability to test the full 512 Kbps download capability of the satellite modem, but it did provide adequate results to compare the relative speeds of encrypted and unencrypted data coming from the host.
The latency of the VSAT Systems satellite link (www.vsat-systems.com) used in these tests ranged from approximately 550 ms to 625 ms. Some satellite connections (www.skycasters.com) have much higher latencies. Depending upon the satellite hardware and the subscription policy of the service provider, latencies of 800 ms to as much as 2,000 ms have been observed.
The performance of any shared bandwidth system varies throughout the day. To minimize bandwidth effects on the results, five iterations of each test ran at different times. To further reduce the influence of bandwidth fluctuations, the testing sequence progressed through all six files, once in each direction, before repeating the transfer of any one file. For example, the 500 K text file ran through the SLE tunnel, then the IPsec circuit, and finally in the clear. Next, a 500 K binary file passed through each circuit, and so on. Each interleaved sequence of transfers repeated five times.
An efficient VPN solution must do more than simply transfer files proficiently. The time to establish a TCP/IP session can significantly impact how applications run across a high-latency connection. To gain an indication of the rate at which the connections could establish TCP/IP sessions, the test procedure transferred a directory file and a group of web pages back and forth.
The time required to establish a TCP/IP session can have a noticeable impact on the performance of some web-enabled applications. Since each file included in a web page requires the browser to start a new HTTP connection to the server, a page with multiple graphics, framed text, or media in external files will cause a delay as multiple connections open and close. Similar circumstances occur in FTP connections as a client traverses the server's file structure if that action involves multiple files.
To illustrate TCP/IP session initiation efficiency, the test protocol included two additional procedures. First, each server transferred a directory containing files of different sizes and composition over and back across the connections using FTP. Second, the servers moved a series of web pages to and from the remote site using HTTP. Since both FTP and HTTP must establish a new connection for each file, this procedure provided a method to assess the start/restart timing issues associated with VPN tunnels extended across satellite links. For convenience, the FTP and HTTP tests measured the total time required to transfer the respective data from one side to the other, not the time to reestablish each individual connection.
Results
The 3DES Selective Layer Encryption technology proved consistently faster than IPsec encryption in all three categories: FTP file transfer, FTP directory transfer, and HTTP web page downloads. This is as expected because SLE leaves the TCP/IP headers in the clear, which allows the satellite operator to perform IP spoofing or TCP acceleration.
In half of the FTP file transfers, Selective Layer Encryption attained higher data transfer rates than the unencrypted circuit. Data moved 20% slower over the IPsec connection than it did over the unencrypted channel when moving from host to remote and 38% slower going from remote to host. Both the graph on page 3 entitled "FTP to Remote Site" and the one above labeled "FTP from Remote Site" present mean values for the five iterations of each file type.
Selective Layer Encryption also performed well in the TCP/IP-intensive tests involving directories and web pages. When downloading directory information to the remote site, SLE performed only 7% slower than the unencrypted connection, compared with 25% for the slower IPsec protocol. In the opposite direction, the SLE connection completed the task only 3% behind the unencrypted connection while the IPsec circuit ran 14% slower.
In the web page test, SLE completed the task 0.5% faster than the unencrypted circuit when moving data from the host to the remote site. Reversing the direction reduced SLE performance relative to the clear channel: SLE took 6% longer. The IPsec connection pulled down web pages 5% slower than the unencrypted circuit going from host to remote and 66% slower when run from the remote site.
As mentioned earlier, satellite latency varies with equipment and service quality. Longer latencies, while affecting all results, will have a more severe impact on the IPsec connection than on either of the other two protocols in this test.
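The latency sensitivity described above can be sketched with a simplified timing model (an added example, not part of the original article or its test procedure). It compares one-connection-per-file transfers when the satellite accelerator can read the TCP header (clear or SLE traffic) with transfers where the header is hidden inside an IPsec tunnel. The segment size, initial window, object sizes, and the absence of packet loss and encryption overhead are all assumptions of the model.

```python
import math

MSS = 1460       # bytes per TCP segment (assumed)
INIT_CWND = 2    # initial congestion window, in segments (assumed)

# Constructed sample: object sizes in bytes for one multi-file web page.
PAGE = [20_000, 4_000, 4_000, 8_000, 60_000, 1_500]

def file_time(size, rtt_s, rate_bps, accelerated):
    """Seconds to fetch one file over its own TCP connection."""
    if accelerated:
        # TCP header readable (clear or SLE): the accelerator answers the
        # handshake and ACKs locally; only the request crosses the satellite
        # before data streams at line rate.
        return rtt_s + size * 8 / rate_bps
    # TCP header hidden inside the IPsec tunnel: the handshake and every
    # slow-start round cross the satellite end to end.
    elapsed = rtt_s                      # SYN / SYN-ACK
    segments = math.ceil(size / MSS)
    cwnd = INIT_CWND
    while segments > 0:
        burst = min(cwnd, segments)
        # A round lasts one RTT, or the burst's serialization time if longer.
        elapsed += max(rtt_s, burst * MSS * 8 / rate_bps)
        segments -= burst
        cwnd *= 2
    return elapsed

def transfer_time(sizes, rtt_s, rate_bps, accelerated):
    """Total seconds when every file opens a new connection, one at a time."""
    return sum(file_time(s, rtt_s, rate_bps, accelerated) for s in sizes)

def penalty(sizes, rtt_s, rate_bps=384_000):
    """Ratio of non-accelerated to accelerated transfer time."""
    return (transfer_time(sizes, rtt_s, rate_bps, False)
            / transfer_time(sizes, rtt_s, rate_bps, True))

if __name__ == "__main__":
    for rtt in (0.6, 2.0):   # latencies within the range the article reports
        print(f"RTT {rtt:.1f} s: penalty x{penalty(PAGE, rtt):.2f}")
```

In this model the penalty ratio grows as the round-trip time rises from 0.6 s to 2.0 s, because each small file pays several full satellite round trips when the accelerator cannot see the TCP header.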
Conclusions
Any encryption technique over any connection imposes some performance loss. Performance also suffers as a function of increased latency. Some of the geo-synchronous satellite services available today, however, have sufficiently low latencies (550 to 625 ms) that even an IPsec VPN becomes practical.
But as the results of these tests clearly indicate, IPsec encryption significantly reduces the performance of TCP/IP over a high-latency connection. The Encore VSR-30 with Selective Layer Encryption technology, combined with VSAT Systems high-end satellite equipment (www.vsat-systems.com), offers an efficient method to achieve fast, secure 3DES encryption when using a satellite link to access the public Internet.